https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49905

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2016-05-02
                 CC|                            |msebor at gcc dot gnu.org
     Ever confirmed|0                           |1
      Known to fail|                            |5.3.0, 6.0

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
5.1 and 6.1 warn on the first six out of the ten buffer overflows, and on Linux
the program aborts at runtime in __sprintf_chk.

GCC still doesn't diagnose any of the last four problems at compile time (e.g.,
in 'char buf [4]; sprintf (buf, "%s %s", "abc", "def");').  It seems that this
class of problems could be handled by enhancing maybe_emit_sprintf_chk_warning
to loop over the format string, recognize more involved format strings with
embedded %s (and other simple directives), and count the number of characters
they emit for constant arguments.  For slightly better compile-time coverage
the approach could even assume that simple non-string directives like %i result
in at least one character and compute an optimistic lower bound on the length
of the formatted string.
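The lower-bound approach the comment sketches, as an added illustration (not GCC's maybe_emit_sprintf_chk_warning or any code from this report): walk the format string, add the length of each constant string bound to a %s, treat every other simple directive as emitting at least one character, and compare the optimistic minimum (plus the terminating NUL) to the destination size. The function names and the passing of constant %s arguments as an array are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical checker (not GCC code): optimistic lower bound on the number of
   bytes sprintf(fmt, ...) writes, counting the terminating NUL.  str_args holds
   the constant strings bound to each %s in order.  Returns 0 for a malformed
   format or a missing %s argument, so callers can treat 0 as "unknown". */
size_t sprintf_min_length(const char *fmt, const char *const *str_args, size_t nargs)
{
    size_t len = 0, si = 0;
    for (const char *p = fmt; *p; ++p) {
        if (*p != '%') { ++len; continue; }          /* literal character */
        ++p;
        if (*p == '\0') return 0;                     /* dangling '%' */
        if (*p == '%') { ++len; continue; }           /* "%%" emits one '%' */
        while (*p && strchr("-+ #0123456789.", *p)) ++p;  /* flags, width, precision */
        while (*p && strchr("hlLqjzt", *p)) ++p;      /* length modifiers */
        if (*p == '\0') return 0;
        if (*p == 's') {
            if (si >= nargs) return 0;                /* no constant bound to this %s */
            len += strlen(str_args[si++]);
        } else {
            ++len;                                    /* %i, %d, %c, ...: at least 1 char */
        }
    }
    return len + 1;                                   /* terminating NUL */
}

/* Nonzero when even the optimistic minimum exceeds the buffer: the call
   overflows no matter what the non-constant arguments turn out to be. */
int sprintf_surely_overflows(size_t bufsize, const char *fmt,
                             const char *const *str_args, size_t nargs)
{
    size_t min = sprintf_min_length(fmt, str_args, nargs);
    return min != 0 && min > bufsize;
}

int main(void)
{
    /* The undiagnosed case from the comment: char buf[4]; sprintf(buf, "%s %s", "abc", "def"); */
    const char *args[] = { "abc", "def" };
    return sprintf_surely_overflows(4, "%s %s", args, 2) ? 0 : 1;  /* exit 0: overflow found */
}
```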
